SecureTheVillage

Cybersecurity News of the Week

Cybersecurity News of the Week, July 30, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s Top of the News is the release of IBM’s Annual Cost of a Data Breach Report.

Of special interest is the not surprising finding that victims prefer to pass the costs of cybercrime to their customers rather than invest in cybersecurity.

This is a particularly disturbing finding as an investment in cybersecurity lowers both the frequency of a cyber incident and the cost of the breach.  This makes investment a positive good for the company and a net good for the economy. It also shows a failure to invest in reasonable cybersecurity as a penny-wise but pound-foolish strategy.

A failure to invest in reasonable cybersecurity is also becoming an unsustainable strategy as (i) cyber criminals embed AI in their technology which is increasing both the frequency and severity of a cyber attack and (ii) more businesses are required by laws, regulations, contracts, and insurance to implement reasonable cybersecurity controls and ensure their vendors do the same.

We provide two stories on the report. The first is IBM’s report summary with a link to the download the report. The second, from DARK Reading, positions the report in the context of the MOVEit campaign from which the cybercriminal CLOp gang is expected to breach more than 1,000 organizations and clear over $100M. (See This Week in Cyber Crime below).

  • IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs: AI/Automation cut breach lifecycles by 108 days; $470,000 in extra costs for ransomware victims that avoid law enforcement; Only one third-of organizations detected the breach themselves. …  IBM (NYSE: IBM) Security today released its annual Cost of a Data Breach Report,1 showing the global average cost of a data breach reached $4.45 million in 2023 – an all-time high for the report and a 15% increase over the last 3 years. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.
  • Orgs Face Record $4.5M Per Data Breach Incident: Cl0p stands to make $100M on the MOVEit campaign, and according to a just-released survey, more than half of businesses are willing to pass data breach costs onto customers. … The average cost per data breach for business in 2023 jumped to $4.45 million, a 15% increase over three years. But instead of investing in cybersecurity, 57% of breached organizations told IBM they were inclined to just pass those costs onto consumers.

Some highlights from this year’s report.

  • The Cost of Silence – Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.
  • Detection Gaps – Only one third of studied breaches were detected by an organization’s own security team, compared to 27% that were disclosed by an attacker. Data breaches disclosed by the attacker cost nearly $1 million more on average compared to studied organizations that identified the breach themselves.
  • Breaching Data Across Environments – Nearly 40% of data breaches studied resulted in the loss of data across multiple environments including public cloud, private cloud, and on-prem—showing that attackers were able to compromise multiple environments while avoiding detection. Data breaches studied that impacted multiple environments also led to higher breach costs ($4.75 million on average).

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. We feature info on how to freeze your credit and what ‘marriage scams’ are in Edition 1. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … Cybercrime Support Network

Kudos this week to the Cybercrime Support Network, a nonprofit that helps individuals and small businesses impacted by cybercrime. As a leading voice for cybercrime victims, the Cybercrime Support Network is dedicated to serving those affected by the ever growing impact of cybercrime before, during, and after. Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since November 2018, CSN has provided help to over 1,000,000 individuals and small businesses via FightCybercrime.org and ScamSpotter.org. Like SecureTheVillage, the Cybercrime Support Network is a fellow-member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

China Cyber Espionage: A Clear and Present Danger: (Video) (Podcast): Last week’s Top of the News was on China’s espionage attacks on the United States. Join Stan and Julie as they delve into the critical matter of China’s cyber espionage activities against the US. In addition to government espionage, China is estimated to steal $600 Billion a year of America’s technology and other intellectual property. We should no more be surprised to discover China in our computer systems, than to see a pride of lions feasting on a zebra. Stan and Julie discuss the implications of this espionage on our midsize and smaller businesses, and on individuals. They advocate for robust cybersecurity practices, including proactive defense strategies and vigilant protection of business IP, to counter the escalating cyber threats.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

To help  you and your loved ones stay safe, here’s an excellent guide from Consumer Reports on staying safe from scams. Download this and share it with people you know.

  • The Consumer Reports Scam Protection Guide: It’s harder than ever to tell if that email, text, or phone call is from someone trying to steal your money, personal information, or both. What you need to know now.
    • New Text Scams
    • Latest Phone Scams
    • Suspicious Emails
    • Facebook Frauds
    • Watch Out for This ATM Card Scam
    • Be Careful With QR Codes
    • Can You Block Scammers?
    • 7 Smart Security Steps

Another sad story of a scam. Let’s remind people to be careful out there.

  • Scammer impersonates cybersecurity brand to steal almost $2,000 from Lancaster County woman : LINCOLN, Neb. (KOLN) – The Lancaster County Sheriff’s Office (LSO) wants to remind people to not make payments with gift cards after a 70-year-old Raymond woman was scammed out of almost $2,000. … On Tuesday, LSO said the woman originally received an email saying she needed to make a payment to her Norton LifeLock cybersecurity account and was supposed to call a number listed in the email for instructions on how to make the payment. … When the woman called the number she spoke with a man with an accent who told her she needed to pay for her subscription renewal with Target gift cards, LSO said. … While on the phone with the man, the woman drove from Raymond to two different Target locations in Lincoln. At the first Target location, she purchased two $499 gift cards, totaling $998. At the second Target location she purchased a $499 gift card and a $399 gift card, totaling $898. In total, she purchased $1,896 worth of Target gift cards. She then gave him the card numbers.

And don’t click the ads on Facebook. You could end up being hacked!!

  • Facebook is being flooded with fake ads that are actually malware: Watch out for malicious Facebook ads promising advanced AI. … A new report from Check Point has uncovered the extent of fake ads plaguing social media platforms, particularly Facebook, in order to spread malware. … The company found evidence of scammers creating fake pages pretending to be top artificial intelligence (AI) companies in a move that sees them capitalizing on the growing appetite for the technology.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

Lots of government cybersecurity news this week, including a surprising op-ed by Elizabeth Warren and Lindsey Graham.

  • Lindsey Graham and Elizabeth Warren: When It Comes to Big Tech, Enough Is Enough: The digital revolution promised amazing new opportunities — and it delivered. Digital platforms promoted social interaction, democratized information and gave us hundreds of new ways to have fun. … But digital innovation has had a dark side. Giant digital platforms have provided new avenues of proliferation for the sexual abuse and exploitation of children, human trafficking, drug trafficking and bullying and have promoted eating disorders, addictive behaviors and teen suicide. Parents like Kristin Bride, whose teenage son killed himself after being mercilessly cyberbullied, have shared heartbreaking stories with Congress and the public about the potentially deadly consequences.

The Securities and Exchange Commission has adopted new rules. As pointed out by our colleague, Bob Zukis of the Digital Directors Network, the rules fall short of ensuring CISOs will have the necessary Board support.

  • SEC now requires companies to disclose cyberattacks in 4 days: The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they’re material incidents. … According to the Wall Street watchdog, material incidents are those that a public company’s shareholders would consider important “in making an investment decision.”
  • Cyber Experience on Boards Still Seen as Critical in New SEC Rules: Companies don’t have to say which directors have cyber knowledge, but for proper oversight, they must have it, security chiefs and others say. … The Securities and Exchange Commission dropped a provision that would have required companies to disclose which board directors had significant cybersecurity knowledge of or experience. … Companies will no longer need to say if their boards have cybersecurity experts under new rules from U.S. financial regulators, but that hasn’t diminished the importance of having them available, company directors say.
  • The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs: The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some respects, the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability…for now.

The UK moves closer to passing its Online Safety Bill. The Electronic Frontier Commission takes issue on behalf of people’s right to privacy. As we wrote in a recent Top of the News and discussed on a recent Podcast, this is a complex subject that isn’t going away.

  • The U.K. Government Is Very Close To Eroding Encryption Worldwide: The U.K. Parliament is pushing ahead with a sprawling internet regulation bill that will, among other things, undermine the privacy of people around the world. The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption. No amendments have been accepted that would mitigate the bill’s most dangerous elements. 

The White House filled a vital cybersecurity role. Awaits Senate approval.

  • Former NSA insider Coker is White House pick for national cyber director: President Joe Biden on Tuesday announced he intends to nominate Harry Coker, a former executive director of the National Security Agency, to be the country’s national cyber director. … If confirmed by the Senate, Coker would fill a role that has been vacant ever since Chris Inglis, the first-ever cyber czar and a former NSA deputy director, stepped down in February. … Coker would be responsible for implementing the administration’s first-of-its-kind national cybersecurity strategy, which was unveiled earlier this year.

The White House has been active on the AI front, gaining commitments from seven AI companies to develop products that are safe, secure, and trustworthy. We’ll see.

  • Biden sure seems serious about not letting AI get out of control: Some AI companies have made safety commitments. Is that enough? … In its continuing efforts to try to do something about the barely regulated, potentially world-changing generative AI wave, the Biden administration announced today that seven AI companies have committed to developing products that are safe, secure, and trustworthy. … Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI are the companies making this voluntary commitment, which doesn’t come with any government monitoring or enforcement provisions to ensure that companies are keeping up their end of the bargain and punish them if they aren’t. It shows how the government is aware of its responsibility to protect citizens from potentially dangerous technology, as well as the limits on what it can actually do.

While on the subject of AI, Bruce Schneier and his colleagues have written a provocative piece that should serve as an AI warning. Who is your AI buddy really working for?

Two privacy stories make this week’s news. The first is an excellent summary of State Privacy Laws by the nonprofit IAPP. The second is a lawsuit.

  • US State Privacy Legislation Tracker: State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a map, a detailed chart identifying key provisions in the legislation, and links to enacted state comprehensive privacy laws. Last Updated: 21 July 2023.
  • Transgender Patients Sue Hospital For Giving Records To Tennessee’s Attorney General: Two patients sued Vanderbilt University Medical Center for violating their privacy by turning their records over to Tennessee’s attorney general.

This Week in Cybercrime.

Section 4 – Managing  Information Security and Privacy in Your Organization.

Alert your IT provider to check if you’re one of the 40,000,000 US Ubuntu users.

  • Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws: Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices. … Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., having an approximate user base of over 40 million.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge

SUPPORT US

SecureTheVillage is a community-based response to the cybersecurity and privacy crisis. We are a 501c(3) nonprofit with a vision of a cybersecure global village. We invite you to join with us as together we make the vision a reality. It takes the village.

Be a CyberPartnerDonate